Upgrade AD

Hi,

We have one domain which has 10 DCs with a mix of Windows 2008 R2, Windows 2012 and Windows 2016. The current domain functional level is Windows 2008 R2. All FSMO roles are on a Windows 2008 R2 server. Now we want to upgrade the domain functional level to Windows 2016. How can we do this? Currently "Raise domain functional level" shows no option to upgrade. All our DCs are working fine without any issues. Please guide me with a tutorial if possible. We have ADFS and ADFS proxy servers with Windows 2008 R2 OS.

Thanks.
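
An added example, not part of the post above: a readiness check to run before attempting to raise the domain functional level. A functional level can never be higher than the oldest operating system still running as a DC, so the script inventories every DC with its OS and FSMO roles, flags any that would block a raise to Windows Server 2016, and only then shows (with -WhatIf) the Set-ADDomainMode call that performs the raise. It assumes the ActiveDirectory RSAT module and Domain Admins rights; the target level of 2016 is taken from the post.

```powershell
# Added example (not from the post): inventory DCs and FSMO role holders before
# raising the domain functional level. Assumes the ActiveDirectory module and
# Domain Admins rights; run from any DC or management workstation.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
"Domain: {0}  (DomainMode: {1}, ForestMode: {2})" -f $domain.DNSRoot, $domain.DomainMode, $forest.ForestMode

# Every DC, its operating system, and the FSMO roles it holds
$dcs = Get-ADDomainController -Filter * | Sort-Object HostName
$dcs | Format-Table HostName, OperatingSystem, IsGlobalCatalog,
    @{ n = 'FSMO'; e = { $_.OperationMasterRoles -join ',' } } -AutoSize

# The level cannot exceed the oldest DC OS. Assumption: the target is Windows Server 2016,
# so any DC whose OS string does not name 2016 or newer blocks the raise.
$blocking = $dcs | Where-Object { $_.OperatingSystem -notmatch 'Windows Server (2016|2019|2022)' }

if ($blocking) {
    'These DCs must be demoted (after moving any FSMO roles they hold) before the level can be raised:'
    foreach ($dc in $blocking) {
        '  {0}  ({1})  roles: {2}' -f $dc.HostName, $dc.OperatingSystem, ($dc.OperationMasterRoles -join ',')
    }
    # Roles are moved with, for example (target DC name is a placeholder):
    #   Move-ADDirectoryServerOperationMasterRole -Identity 'DC2016-01' `
    #       -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster
}
else {
    # -WhatIf only reports what would change; drop it to actually raise the level.
    Set-ADDomainMode -Identity $domain -DomainMode Windows2016Domain -WhatIf
}
```

The order matters: move the roles off the 2008 R2 DCs, demote those DCs, confirm replication is healthy, and only then raise the level. The raise itself is a one-way operation.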


customized password expiration message

We have a Windows 2012 R2 domain and are in the process of upgrading to 2016 AD.

I want to create a customized password expiration message in Active Directory that notifies my domain users about their password expiration, with a customized message containing guidelines.

How can I create a customized password expiration message?

Thank You 
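
An added example, not part of the post above: one common way to deliver a customized expiry notice is a scheduled script that asks the DC for each user's computed expiry time, selects the accounts that expire within a window, and mails a message whose text the administrator controls. The message body, the SMTP relay smtp.example.local, the sender address and the 14-day window are all placeholders chosen for this example; $DryRun keeps it from sending anything until it is set to $false.

```powershell
# Added example (not from the post): mail a customized notice to users whose
# domain password expires within $DaysAhead days. Assumptions: ActiveDirectory
# module present, an internal SMTP relay, and placeholder addresses below.
Import-Module ActiveDirectory

$DaysAhead = 14
$DryRun    = $true
$SmtpHost  = 'smtp.example.local'       # assumption: internal relay
$From      = 'helpdesk@example.local'   # assumption: sender address

$now = Get-Date
$users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -Properties DisplayName, EmailAddress, PasswordExpired, 'msDS-UserPasswordExpiryTimeComputed' |
    Where-Object { -not $_.PasswordExpired }

foreach ($u in $users) {
    # The DC computes the effective expiry (fine-grained policies included) as a FILETIME.
    # 0 or Int64.MaxValue mean "never expires" and would make FromFileTime throw.
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    if (-not $raw -or $raw -eq [long]::MaxValue) { continue }

    $expires  = [datetime]::FromFileTime($raw)
    $daysLeft = [math]::Ceiling(($expires - $now).TotalDays)
    if ($daysLeft -lt 0 -or $daysLeft -gt $DaysAhead) { continue }
    if (-not $u.EmailAddress) { Write-Warning "$($u.SamAccountName) has no mail address"; continue }

    # Customized message text: edit freely, this wording is only a sample.
    $body = @"
Hello $($u.DisplayName),

Your domain password expires on $($expires.ToString('f')) ($daysLeft day(s) from now).

Please change it before then: press Ctrl+Alt+Del and choose "Change a password".
Guidelines:
  - use a long passphrase you do not use anywhere else
  - do not reuse one of your previous passwords
  - never share it, the helpdesk will never ask for it

Contact the helpdesk if you need assistance.
"@

    if ($DryRun) {
        'Would notify {0} <{1}>: expires in {2} day(s)' -f $u.SamAccountName, $u.EmailAddress, $daysLeft
    }
    else {
        Send-MailMessage -SmtpServer $SmtpHost -From $From -To $u.EmailAddress `
            -Subject "Your password expires in $daysLeft day(s)" -Body $body
    }
}
```

Run it daily from a scheduled task under an account that only needs read access to user objects; the Interactive logon policy message shown at the Windows sign-in screen is not customizable per user, which is why scripts like this are the usual answer.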

Tek-Nerd

Can't Demote Windows 2012 R2 DC - DCPROMO - Access is denied. Account is in "Enable computer and user accounts to be trusted for delegation"

Hello!

I have two Windows Server 2012 R2 DC's which I'd like to demote from a domain, leaving two Windows Server 2019 DC's to remain as the sole DC's. When I try to demote the 2012 R2 DC's I get a message "The operation failed because: The Active Directory Domain Services Installation Wizard (DCpromo.exe) would not configure the computer account <2012 DC> on the remote Active Directory Domain Controller <2019 DC>.  Verify that the user running dcpromo.exe is granted the "Enable computer and user accounts to be trusted for delegation" user right in the Default Domain Controllers Policy.  The error was: Access is denied".

I tried both my domain admin account and the domain Administrator account and both get this same error. Both of these accounts are added to the "Enable computer and user accounts to be trusted for delegation" user right in the Default Domain Controllers Policy.

"repadmin" shows that everything is replicated between all DC's. In fact the only hint that I see of any AD problem is that in Group Policy Management, from "Detect Now" on the status page, the two older DC's show that replication is in progress. (And this never changes.)

Anyone have any idea what I should look at? I suppose I could just do a "Force" on the DCPROMO demotion and then clean up the metadata by following the steps to manually remove a failed DC.

I appreciate anyone's help!

dave

LAPS GPO deployed, Fat client UI missing

I have installed LAPS on client computers using GPO. It is only the .dll file that was installed, the Fat Client UI is missing.
How do I correct that?

When does the machine account password update fail

We have a Linux machine comp1 which is connected to Microsoft Windows Active Directory, i.e. we have a machine account created on the AD server. Along with that, we have domain user accounts created on the AD server. Hence when those users log in to comp1, they are authenticated using their AD accounts.

As per my limited knowledge, the machine (comp1) account secret/password keeps changing periodically and this change is initiated by the client (comp1). Once the secret/password for the comp1 account is updated on the AD server, it is then updated locally on comp1. For Linux, there is a process which handles this in the background.

In our customer's environment, I observed in the logs that the secret/password change was done on 11/21, after which we started seeing pre-authentication failures.

My question is: is it possible that the secret/password change for the machine account, which it initiated, fails to get updated on the AD server, resulting in a mismatch? Is there any similar known issue for any Windows AD server versions, i.e. machine account password update fails?

DFS and roaming profiles and home folders

Guys,

When in a DFS environment, how should I create roaming profiles and home folders? Anyone who has a decent tutorial for that?

I don't think it would be wise to let the profiles be synced. The home folders could be synced by DFS, I guess.

Thanks in advance.

How to grant Admin rights on DC without giving Domain Admins rights?

In our team we had to split our duties (OS admins, AD admins, DNS admins etc.).
The team responsible for OS management needs to have full administrator rights on all servers including DCs.
And with DCs things get complicated. We do not want to give full Builtin\Domain Admins or Builtin\Administrators rights. We need to restrict permissions to AD and GPO. But they should have all other rights (the Server Operators group is NOT ENOUGH).
Moreover I don't want to deny access because it is not advised by Microsoft and some rights may need to be delegated in future.

I have found one solution but I'm not sure if this won't cause issues (sooner or later).

What I want to do is the following (tested in lab):
1. Log in to a DC with Domain Admins rights.
2. Create a new group "DCAdmins" and add the OS Admins there.
3. Navigate to DSA.msc, right click on the domain > Properties > Security.
4. On the Security tab choose the builtin\Administrators group and REMOVE the group (yes, remove). Apply, close.
5. Open the builtin\Administrators group and add the DCAdmins group created in step 2.

From what I can tell everything works a treat (at least for now). OS Admins have full Administrators rights without permissions to AD, GPO, DNS etc.
Can someone tell me something more about this solution? Is it safe to perform such an operation on a LARGE environment with 20 DCs? Maybe there is another way?

Oh and:
Domain Functional Level is Windows 2012 R2
Forest Functional Level is Windows 2003
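
An added example, not part of the post above: step 4 edits the ACL on the domain head object, and that ACL is not something the Default Domain Controllers Policy or a GPO will put back if it turns out to be needed. The script records the complete security descriptor as SDDL (which is what a rollback needs), writes a readable ACE list, and prints exactly what BUILTIN\Administrators holds on the object so the entries being removed are on record before anything is changed. It assumes the ActiveDirectory module (which provides the AD: drive) and a writable folder C:\ADBackup, both placeholders.

```powershell
# Added example (not from the post): back up the domain head ACL before editing it
# and list the ACEs currently granted to BUILTIN\Administrators. Assumes the
# ActiveDirectory module and a backup folder C:\ADBackup (placeholder).
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName
$backupDir = 'C:\ADBackup'                  # assumption
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

$acl = Get-Acl -Path "AD:\$domainDn"

# 1. Full descriptor as SDDL: owner, group, DACL and SACL in one string, enough to restore.
$sddlFile = Join-Path $backupDir "domain-head-$stamp.sddl"
$acl.Sddl | Set-Content -Path $sddlFile -Encoding ASCII

# 2. Human-readable ACE list for review and change records.
$aceFile = Join-Path $backupDir "domain-head-$stamp.csv"
$acl.Access |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  IsInherited, InheritanceType, ObjectType, InheritedObjectType |
    Export-Csv -Path $aceFile -NoTypeInformation

# 3. What BUILTIN\Administrators holds on the domain head right now: these are the
#    entries step 4 removes. Inherited ACEs cannot be removed here and will remain.
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Administrators' } |
    Format-Table ActiveDirectoryRights, AccessControlType, IsInherited, ObjectType -AutoSize

"Backup written to $sddlFile and $aceFile"

# Rollback, when needed (not run here):
#   $acl = Get-Acl -Path "AD:\$domainDn"
#   $acl.SetSecurityDescriptorSddlForm((Get-Content $sddlFile -Raw).Trim())
#   Set-Acl -Path "AD:\$domainDn" -AclObject $acl
```

Keep the SDDL file somewhere the OS admins cannot modify; it is the only record of the pre-change state, and Restore-ADObject does not bring back a security descriptor that was edited in place.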

Local Admin GPO Strange Behavior

Hi, I have a problem with GPO. We have LAPS configured. All computers are located in one OU named Corp_Computers. We also have a group named "workstation_admins" (members are helpdesk users) which is granted the right to read LAPS passwords and is also a member of the local Administrators group on the computers. Now we want to create separate OUs in the Corp_Computers OU for sub-company computers and create groups for each for the helpdesk users (e.g. a_workstation_admins), remove the parent GPO and create a GPO for each OU for local Administrators group membership. But things get stranger from this point. When I applied the GPO for A_Corp_Computers (local admins GPO setting configured with GPO preferences), both workstation_admins and a_workstation_admins are in there. I created a separate OU and tried without any configured GPO, only the default domain policy (unconfigured), and did gpupdate /force, but workstation_admins appears in the Administrators group.

Sorry for my bad English 


Local Administrators Group Members Strange Behavior

Hi, I have a problem with local Administrators on Windows 10 computers. Recently we deployed and updated the local Administrators groups on our Windows 10 clients. We have a group named workstation_admins (with members user1 and user2). We deployed a GPO for the clients and the GPO applied (with GPO preferences), and the local Administrators group shows the correct members like Domain Admins and workstation_admins. But things get interesting from now. user1's credentials are accepted, for example when installing an app, but user2's credentials are not accepted and give an error like this: this attempt required elevation, or something like that.

UAC page won't show to admin to enter credentials

Hi. I configured BitLocker on my host machines. It worked perfectly. But some users forget their password, so I have to reset it using the recovery key. When Windows opens, it is then time to change the PIN. I connected remotely to the host using MSRA (remote connection software) and clicked "Reset a forgotten PIN". UAC opens to enter admin credentials. I see nothing, only a black screen, but my host sees that UAC opened and requires admin credentials. Could you please tell me how I could see the same UAC page that the host sees? Without seeing that page I couldn't enter the admin name and password. It is so urgent, please help me to solve this issue.

AD CS - Restricted enrollment agents issue

Hello, everybody.

Currently I'm struggling to implement something according to these docs.
For simplicity's sake, my test setup is configured with a single enrollment agents group and a single certificate template. My goal is to prevent enrollment agents from issuing certificates to some privileged users. To make that happen I have configured the two following permission entries for restricted enrollment agents:
DOMAIN\Domain Users - Allow
BUILTIN\Administrators - Deny

And what if a particular user is a member (direct or indirect) of BOTH of the above groups? What is the effect of the above restrictions? Will the certificate request be allowed or denied? Common sense suggests that the request should be denied. But in my test environment it is not, which is very confusing. I tried many different combinations of denied/allowed groups and have got contradicting results.

The ultimate question is: what is the definitive way to allow an enrollment agent to request a certificate on behalf of ANY user, EXCEPT members of particular domain security groups (local, global, universal, in this domain, in the whole forest, and including members of BUILTIN\ groups)?
I haven't found any particular guidance in Microsoft documentation or otherwise. It would be great if you could shed some light on this matter.

Thanks in advance.

Renaming Active Directory Server ws2008 r2

I'm planning to migrate the AD server from WS2008 to WS2012 (new server hardware), and I plan to use a different server name. Is it possible to maintain the old server name as an alias? The purpose of doing this is to make sure there is no issue for any application that is currently using the old name for querying the AD server.

I've found an article about renaming an AD server; is this valid for my situation?

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816601(v=ws.10)


Domain A (ADFS) Authentication to Domain B(RDS) with no domain trust

Hi,

Hoping someone could answer my question. We have a customer on Domain A currently with a domain trust to our environment Domain B, we host an RDS collection and they authenticate with their Domain A credentials to be able to access their Remote Apps over a site-to-site VPN. They wish to remove the Two-Way domain trust now and suggested using ADFS for authentication.

Is this possible? Without a domain trust how can we authenticate their users to our environment without their users needing to log in multiple times?

Thanks

C

Server 2012R2 GPO not updating on clients

I have been using Windows Server for years and this problem has hit a dead end.

Server 2012R2 Active Directory office environment (primary/secondary servers); removed the Interactive Logon message 48 hours ago, and cannot get the message to delete from the clients. Refresh time on clients is set to 60 mins, server refresh is 30 mins; rebooted everything several times, have run every manual gpupdate option several times, no errors in the output of "gpresult /v >c:\gpresult.txt", and the client registry key which I cannot get to update is Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

Any help much appreciated.

How to secure and improve the active directory infra

Dear folks,

Please guide me on how to secure and improve my Active Directory environment.

Is there any automation script?

Such as,

GPO backup/restore,

SSB backup/restore,

DHCP backup/restore,

DNS Backup/restore,

Please share with me such further improvements.


DFSR Health Reports - root files can't be replicated and don't exist

I'm trying to understand the output of this DFSR report. It's saying certain files can't be replicated in the root. When I look at the root of the folder and show hidden and system files I do not see the files listed in the report. Here is one example. I have another DFSR relationship that shows many more instances. Any ideas what causes this?

DCpromo fail for iScsi disk

Dear Support, 

We cannot DCpromo Windows Server with the following error message for Prerequisites Check. 
Error Message:
Verification of prerequisites for Domain Controller promotion failed. The folder D:\Windows\NTDS does not refer to a valid hard disk. Select a folder on a hard disk drive. 

Do you have any idea?

Thanks!

Best Regards, 
Daniel

User information

Hi Experts

I want to get the below information from the shell for one user; please help me with the syntax.

User Name
Full Name
Account Active
Account expires
Password Last Set
Password expires
Password changeable
user group membership
Last logon
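
An added example, not part of the post above: the fields listed are the ones "net user <name> /domain" prints, and the script below produces the same report with the ActiveDirectory module, which additionally exposes the expiry time the DC computes and the resultant password policy. The sample account name jdoe is a placeholder.

```powershell
# Added example (not from the post): report the "net user /domain" style fields for
# one account. Assumes the ActiveDirectory module; $SamAccountName is a placeholder.
Import-Module ActiveDirectory

$SamAccountName = 'jdoe'   # assumption: account to inspect

$u = Get-ADUser -Identity $SamAccountName -Properties DisplayName, Enabled, AccountExpirationDate, `
        PasswordLastSet, PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed', LastLogonDate, MemberOf

# Expiry as computed by the DC (fine-grained policies honoured); 0 or Int64.MaxValue mean "never".
$raw = $u.'msDS-UserPasswordExpiryTimeComputed'
if ($u.PasswordNeverExpires -or -not $raw -or $raw -eq [long]::MaxValue) { $passwordExpires = 'Never' }
else { $passwordExpires = [datetime]::FromFileTime($raw) }

# "Password changeable" = last set + minimum password age from the policy that applies to the user.
$policy = Get-ADUserResultantPasswordPolicy -Identity $u
if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }
if ($u.PasswordLastSet) { $changeable = $u.PasswordLastSet + $policy.MinPasswordAge } else { $changeable = 'n/a' }

if ($u.AccountExpirationDate) { $accountExpires = $u.AccountExpirationDate } else { $accountExpires = 'Never' }

# MemberOf holds group DNs; resolve them to names. The primary group (usually Domain Users) is not in MemberOf.
$groups = ($u.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name } | Sort-Object) -join ', '

[pscustomobject]@{
    'User name'           = $u.SamAccountName
    'Full Name'           = $u.DisplayName
    'Account active'      = $u.Enabled
    'Account expires'     = $accountExpires
    'Password last set'   = $u.PasswordLastSet
    'Password expires'    = $passwordExpires
    'Password changeable' = $changeable
    'Group membership'    = $groups
    'Last logon'          = $u.LastLogonDate   # from replicated lastLogonTimestamp, may lag up to 14 days
} | Format-List
```

LastLogonDate comes from the replicated lastLogonTimestamp attribute, so for an exact last logon you have to query the unreplicated lastLogon attribute on every DC and take the newest value.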

GPO to install and configure SNMP

Hello,

I've been trying to follow some posts out there that show how to set up and configure the SNMP feature in Windows Server; however, the GPO alone never installs the service. I don't know if I'm missing a step, or if it isn't possible to install the feature with a GPO.

I created a single GPO that creates a firewall rule to allow ICMPv4, and in the same GPO I have configured the settings for a typical SNMP configuration.

I tried to follow this post without editing the registry because I don't think it applies in my case:

https://glazenbakje.wordpress.com/2016/03/18/microsoft-snmp-settings-via-group-policy/

Is it possible that you can configure the settings in GPO but not actually install the feature? That would seem a little useless so I hope that's not the case. I could probably run a PS script from GPO if necessary.

Thanks
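
An added example, not part of the post above: Group Policy settings only write registry values, they do not add Windows features, so a computer startup script is the usual way to get the SNMP service installed from a GPO. The script below is meant to be assigned under Computer Configuration > Policies > Windows Settings > Scripts > Startup; it installs the feature when missing, writes a read-only community and the list of managers allowed to poll, and restarts the service. The community name monitoring-ro and the manager address 10.0.0.50 are placeholders; it assumes Windows Server 2012 R2 or later.

```powershell
# Added example (not from the post): GPO startup script that installs and configures
# the Windows SNMP service. Community name and manager address are placeholders.
$Community = 'monitoring-ro'   # assumption: read-only community string
$Managers  = @('10.0.0.50')    # assumption: NMS addresses allowed to poll

Import-Module ServerManager
if (-not (Get-WindowsFeature -Name SNMP-Service).Installed) {
    Install-WindowsFeature -Name SNMP-Service, SNMP-WMI-Provider -IncludeManagementTools | Out-Null
}

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'

# ValidCommunities: one value per community; the DWORD data is the right:
# 1 = NONE, 2 = NOTIFY, 4 = READ ONLY, 8 = READ WRITE, 16 = READ CREATE.
$commKey = Join-Path $params 'ValidCommunities'
New-Item -Path $commKey -Force | Out-Null
New-ItemProperty -Path $commKey -Name $Community -Value 4 -PropertyType DWord -Force | Out-Null

# PermittedManagers: string values named 1, 2, ... holding one host each.
# The whole key is rebuilt so entries removed from $Managers do not linger.
$mgrKey = Join-Path $params 'PermittedManagers'
Remove-Item -Path $mgrKey -Recurse -ErrorAction SilentlyContinue
New-Item -Path $mgrKey -Force | Out-Null
$i = 1
foreach ($m in $Managers) {
    New-ItemProperty -Path $mgrKey -Name $i -Value $m -PropertyType String -Force | Out-Null
    $i++
}

Set-Service -Name SNMP -StartupType Automatic
Restart-Service -Name SNMP
```

The script is idempotent, so it is safe to leave it assigned; once the feature is installed, the registry values can equally be maintained by Group Policy Preferences as in the linked post, with the startup script doing only the install.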
